The CNCF Technical Oversight Committee (TOC) has voted to accept in-toto as a CNCF incubating project. 

in-toto is a framework that protects the software supply chain by collecting and verifying relevant data. It does so by enabling libraries to collect information about software supply chain actions and allowing software consumers and project managers to publish policies about software supply chain practices that can be verified before deploying or installing software. In short, it helps to capture what happened in the software supply chain and ensure that it happened according to a defined policy.
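To make that model concrete, the following is an added illustration written for this page, not in-toto's own code or API: each step records the hashes of what it consumed (materials) and produced (products), and the layout's artifact rules are checked against that evidence, so a binary swapped between the build and package steps is caught. It assumes a simplified two-step layout, uses constructed sample artifacts, and omits the signatures in-toto places on links and layouts.

```python
import fnmatch
import hashlib

# Constructed sample artifacts (hypothetical, not real build output).
SRC, BIN, TAMPERED = b"int main(void){return 0;}\n", b"\x7fELF-built", b"\x7fELF-swapped"

def digest(data):  # links record artifacts by hash, as in-toto link metadata does
    return {"sha256": hashlib.sha256(data).hexdigest()}

def link(name, materials, products):  # the evidence one step records (unsigned here)
    return {"_type": "link", "name": name, "materials": materials, "products": products}

# Policy for a two-step chain, written in in-toto's artifact-rule vocabulary.
LAYOUT = {"steps": [
    {"name": "build",
     "expected_materials": [["ALLOW", "*.c"], ["DISALLOW", "*"]],
     "expected_products": [["CREATE", "app.bin"], ["DISALLOW", "*"]]},
    {"name": "package",
     "expected_materials": [["MATCH", "app.bin", "WITH", "PRODUCTS", "FROM", "build"],
                            ["DISALLOW", "*"]],
     "expected_products": [["CREATE", "app.tar"], ["DISALLOW", "*"]]}]}

def verify(layout, links):
    """Apply each step's rules to its recorded artifacts; return the violations."""
    violations = []
    for step in layout["steps"]:
        lnk = links[step["name"]]
        for side in ("materials", "products"):
            other = lnk["products" if side == "materials" else "materials"]
            queue = dict(lnk[side])  # artifacts not yet explained by a rule
            for rule in step["expected_" + side]:
                op, pattern = rule[0], rule[1]
                for path in [p for p in queue if fnmatch.fnmatch(p, pattern)]:
                    if op == "MATCH":  # hash must equal the upstream step's record
                        if links[rule[5]][rule[3].lower()].get(path) == queue[path]:
                            del queue[path]
                    elif op == "ALLOW" or (op == "CREATE" and path not in other):
                        del queue[path]
                    elif op == "DISALLOW":  # anything left unexplained is a violation
                        violations.append(f"{step['name']} {side} {path}: {rule}")
                        del queue[path]
    return violations
def good_chain():
    return {"build": link("build", {"main.c": digest(SRC)}, {"app.bin": digest(BIN)}),
            "package": link("package", {"app.bin": digest(BIN)}, {"app.tar": digest(b"t" + BIN)})}

def tampered_chain():  # binary swapped between build and package: hashes diverge
    chain = good_chain()
    chain["package"]["materials"]["app.bin"] = digest(TAMPERED)
    return chain
```

Running `verify(LAYOUT, good_chain())` yields no violations, while `verify(LAYOUT, tampered_chain())` reports the package step's `app.bin` material, because its hash no longer matches the build step's recorded product.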

The in-toto project was created in 2015 by the Secure Systems Lab of New York University’s Tandon School of Engineering. Since then, it’s been constantly evolving to better adapt to practices in different software ecosystems and better integrate with other cloud technologies, such as SPIFFE and SPIRE. Since a chain is only as strong as its weakest link, the project remains malleable enough to protect every aspect of the software supply chain — from source code to admission in a Kubernetes cluster and beyond.

“Supply chain security is one of the biggest challenges facing the software ecosystem today,” said Justin Cormack, CNCF TOC member and project sponsor. “A typical software supply chain is composed of multiple steps “chained” together, including writing, testing, packaging, and distributing software. More steps mean more places an organization can be vulnerable. in-toto addresses this issue by providing secure and trustworthy ways to represent and attest all the operations within the cloud native pipeline. We are seeing strong community support for this.”


Since joining the CNCF Sandbox in 2019, in-toto has attracted more than 132 contributors from more than 16 organizations and now has 8 maintainers and approvers from 5 organizations.

Over the past three years, the in-toto team has focused on achieving stability by adding or modifying features, including support for SPIFFE, more expressive evidence collection, and implementations in different languages, like Rust. The project has also been integrated into crucial security applications such as Reproducible Builds and Sigstore.

in-toto has been adopted in production by organizations including Datadog, Google Grafeas, Kubesec.io, rebuilderd, SolarWinds, Sigstore’s Cosign, and more. It is used by Datadog to secure its pipelines and by SolarWinds to avoid future compromises of the same magnitude as 2019’s SUNBURST hack. In addition, projects such as rebuilderd produce in-toto attestations to allow for cryptographically verifiable build-reproducibility checks. Lastly, projects such as Cosign, part of Sigstore, use in-toto as an underlying technology to attest to various supply chain actions. In fact, in-toto is the second most used mechanism on Sigstore.

in-toto was also the first project to go through a security assessment by CNCF’s TAG Security.

Notable Milestones:

“Over the past few years, we’ve seen an increase in frequency and severity of attacks across the software supply chain with even the White House issuing an executive order recently,” said Chris Aniszczyk, CTO of the Cloud Native Computing Foundation. “We’re excited to have a project offering innovation in the supply chain security space, and we look forward to seeing collaboration among the community to continue to make the cloud native ecosystem more secure.”

Since the release of 1.0 in 2020, in-toto has focused on providing stability for existing integrations. In the coming year, the team is planning to add new features, including support for expressive type tracking during evidence collection, better native support for SLSA attestation handling, and a simpler policy language, as well as a collection of “best supply chain practices” policies to ease adoption for projects looking to secure their supply chains. Read more in the project roadmap.

As a CNCF-hosted project, in-toto is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. in-toto joins incubating technologies Argo, Buildpacks, Chaos Mesh, Cilium, CloudEvents, CNI, Contour, Cortex, CRI-O, Crossplane, Dapr, Dragonfly, emissary-ingress, Falco, Flagger, Flux, gRPC, KEDA, Knative, KubeEdge, Litmus, Longhorn, NATS, Notary, OpenMetrics, OpenTelemetry, Operator Framework, SPIFFE, SPIRE, and Thanos. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.